
Executive Summary

Threat actors exploited a security breach at market intelligence platform Klue to steal OAuth tokens, which they used to access and exfiltrate Salesforce CRM data from multiple organizations over a 24-hour period using automated scripts. The attackers, identified as a relatively new extortion group called "Icarus," are now demanding ransom payments from affected Klue customers. Salesforce has disabled the Klue Battlecards integration while the incident is investigated, preventing organization...

What Happened

On June 18, 2026, threat actors exploited a security breach at Klue, a market intelligence platform, to steal OAuth tokens that granted access to customer Salesforce CRM instances. The attackers, identified as a group called 'Icarus,' used automated Python scripts to query Salesforce's REST API over a 24-hour period, systematically mapping and exfiltrating customer relationship management data from multiple organizations. Salesforce responded by disabling the Klue Battlecards integration across its platform while the breach is investigated.

Who Is Affected

Multiple organizations using both Klue's market intelligence services and Salesforce CRM are affected, with cybersecurity firm Huntress confirming its own Salesforce data was stolen. Any company that had installed the Klue Battlecards integration and connected it to their Salesforce instance potentially had sensitive CRM data - including customer information, sales records, and business intelligence - accessed and exfiltrated. The Icarus group has already begun sending ransom demands to impacted Klue customers.

Why It Matters

This incident demonstrates how third-party integrations can become vectors for widespread data theft across multiple organizations through a single point of compromise. The OAuth token abuse allowed the attackers to bypass direct authentication and access data as a trusted service, highlighting a systemic weakness in how cloud platforms authorize third-party applications. The attack methodology mirrors previous campaigns by groups like ShinyHunters, suggesting this supply-chain exploitation technique is becoming a repeatable pattern for extortion operations targeting business-critical data stored in widely used platforms like Salesforce.

What You Should Do

If your organization uses Klue's Salesforce integration, immediately review your Salesforce access logs for unusual API queries to endpoints like '/services/data/v59.0/sobjects' and '/services/data/v59.0/query' occurring around June 17-18, 2026. Revoke all OAuth tokens associated with the Klue Battlecards application and audit which third-party applications have access to your Salesforce instance, removing any that are not essential. Contact Klue directly to determine if your organization was affected and monitor for extortion emails from threat actors, which should be reported to law enforcement rather than responded to directly.
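The log review step above can be scripted. The following is an added example for this summary, not code from Klue, Salesforce or the original page: it reads API access records, keeps only requests that fall in the June 17-18, 2026 window and hit the two REST API routes named above, and flags each connected app and source IP pair whose request count crosses a threshold, listing the Salesforce objects those requests referenced so a reviewer can see whether the integration was enumerating CRM objects well outside its normal footprint. The CSV column names, the threshold and the sample rows are constructed for illustration; real Salesforce event log exports use their own schema, so the parser is the part to adapt.

```python
"""Flag bursty REST API access to Salesforce data endpoints in an audit window.

Added example for this summary, not from Klue, Salesforce or the original page.
The CSV field names and the sample rows below are constructed for illustration;
adapt parse_rows() to the schema of your own Salesforce event log export.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Endpoint prefixes named in the advisory: the REST API sObject and SOQL query routes.
WATCHED_PREFIXES = ("/services/data/v59.0/sobjects", "/services/data/v59.0/query")

# Audit window from the advisory (June 17-18, 2026), treated here as UTC.
WINDOW_START = datetime(2026, 6, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 19, tzinfo=timezone.utc)  # exclusive

# Constructed sample rows (assumed schema: timestamp, connected_app, source_ip, uri).
SAMPLE_LOG = """\
timestamp,connected_app,source_ip,uri
2026-06-17T22:58:01Z,Klue Battlecards,198.51.100.7,/services/data/v59.0/sobjects
2026-06-17T22:58:02Z,Klue Battlecards,198.51.100.7,/services/data/v59.0/sobjects/Account/describe
2026-06-17T22:58:03Z,Klue Battlecards,198.51.100.7,/services/data/v59.0/query?q=SELECT+Id+FROM+Account
2026-06-17T22:58:04Z,Klue Battlecards,198.51.100.7,/services/data/v59.0/query?q=SELECT+Id+FROM+Contact
2026-06-17T22:58:05Z,Klue Battlecards,198.51.100.7,/services/data/v59.0/query?q=SELECT+Id+FROM+Opportunity
2026-06-18T09:12:44Z,Sales Dashboard,203.0.113.20,/services/data/v59.0/query?q=SELECT+Name+FROM+Account
2026-06-16T09:12:44Z,Klue Battlecards,198.51.100.7,/services/data/v59.0/query?q=SELECT+Id+FROM+Lead
2026-06-18T10:00:00Z,Klue Battlecards,198.51.100.7,/services/data/v59.0/chatter/feeds
"""


def parse_rows(text):
    """Yield (timestamp, connected app, source IP, URI) tuples from the CSV text."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), row["connected_app"], row["source_ip"], row["uri"]


def in_window(ts):
    """True when the timestamp falls inside the audit window."""
    return WINDOW_START <= ts < WINDOW_END


def is_watched(uri):
    """True when the request path (query string ignored) is one of the watched routes."""
    path = uri.split("?", 1)[0]
    return path.startswith(WATCHED_PREFIXES)


def referenced_object(uri):
    """Best-effort name of the Salesforce object a request touches, or None."""
    path, _, qs = uri.partition("?")
    segments = path.strip("/").split("/")
    if "sobjects" in segments:
        idx = segments.index("sobjects")
        # /sobjects/<Object>/... names the object; a bare /sobjects lists them all.
        return segments[idx + 1] if idx + 1 < len(segments) else None
    soql = parse_qs(qs).get("q", [""])[0]  # parse_qs decodes '+' to spaces
    match = re.search(r"\bFROM\s+(\w+)", soql, re.IGNORECASE)
    return match.group(1) if match else None


def flag_suspicious_apps(text, threshold=3):
    """Return {(app, ip): {"requests": n, "objects": [...]}} for pairs at or above threshold."""
    counts = Counter()
    objects = defaultdict(set)
    for ts, app, ip, uri in parse_rows(text):
        if not (in_window(ts) and is_watched(uri)):
            continue
        counts[(app, ip)] += 1
        obj = referenced_object(uri)
        if obj:
            objects[(app, ip)].add(obj)
    return {
        key: {"requests": n, "objects": sorted(objects[key])}
        for key, n in counts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for (app, ip), info in flag_suspicious_apps(SAMPLE_LOG).items():
        print(f"{app} from {ip}: {info['requests']} data requests, objects {info['objects']}")
```

The threshold is deliberately low for the eight constructed rows; on a real export, baseline the count against what the integration did on ordinary days, since the advisory describes systematic mapping over a 24-hour period rather than a handful of requests. Any connected app that appears here and is not essential belongs on the revocation list in the same step.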
